Recent searches


No recent searches

Sean Cusick's Avatar

Sean Cusick

Joined Apr 14, 2021

·

Last activity Feb 11, 2025

Zendesk Product Manager

Following

0

Follower

1

Total activity

164

Votes

28

Subscriptions

96

ACTIVITY OVERVIEW

Latest activity by Sean Cusick

Sean Cusick commented,

CommentSetting up your email channel

Hi Anne-Flore, Yes, this workflow requires that you replace existing addresses to setup the integration. After you have done that you could use either the Select an Address app, or the API to adjust the recipient value on the ticket. Both of these options are basically doing the same thing by making an API call to choose the address you want notifications to be sent from. 

Ticket value: recipient 
“The original recipient e-mail address of the ticket. Notification emails for the ticket are sent from this address”

View comment · Posted Dec 17, 2024 · Sean Cusick

0

Followers

1

Vote

0

Comments


Sean Cusick commented,

CommentSetting up your email channel

Hi Jorge and mfg,

 

Because this feature passes the responsibility of outbound sending over to your domain things like bounces, delivery reports and read receipts would happen at that sending domain (though read receipts require modifying the body of the email, which should be approached with caution and testing).

 

All other Zendesk functionality - like suspension causes for automated traffic and behavior around BCC submissions - would not change. Though you can choose to modify the structure of an inbound BCC'd email so that you can achieve the desired behavior at the forwarding domain. 

We are tracking feature requests, so I would encourage you to test in a sandbox account and let us know what you think in the Product Feedback section of our Community pages

View comment · Posted Nov 04, 2024 · Sean Cusick

0

Followers

0

Votes

0

Comments


Sean Cusick created an article,

ArticleAnnouncements
Announced on Rollout on
October 31, 2024 October 31, 2024

Starting today, you can configure your Zendesk account to use the new Authenticated SMTP Connector to relay authenticated email. The Authenticated SMTP Connector lets you connect a non-Zendesk email server to your Zendesk Support instance. It is specifically designed for organizations that prefer to use their own email servers or cannot use third-party email servers due to internal corporate policies, data regulations, or encryption needs.

This announcement includes the following topics:

What's changing?

You can now set up the Authenticated SMTP Connector to relay authenticated email between your business server and Zendesk.

There are two different ways you can set up the connector to meet the needs of your company. Each has a distinctive way of relaying email, so it's important to understand how you intend to use it.

  • Use two-way authenticated relay if you need to create a secure and authenticated two-way inbound/outbound connection with your email domain or service and Zendesk's inbound/outbound servers. This requires more setup and configuration with your domain or email service, but it is ideal for on-premise servers or domains that leverage additional layers of security on inbound/outbound traffic, like Mimecast.
  • Use outbound-only authenticated relay to use standard auto-forwarding of inbound email traffic to Zendesk, but allow for an authenticated outbound connection with your email domain or service, so all outbound sending for the connected addresses occurs through your domain or email service. This setup allows for cloud-based email services that don’t offer authenticated outbound relays to other systems, like Exchange Online, Office365 Cloud, and Google Workspace.

Why is Zendesk making this change?

Our customers requested more secure methods to have their email traffic arrive at Zendesk, and for Zendesk to send outbound traffic through.

The Authenticated SMTP Connector:

  • Ensures outbound TLS encryption (inbound also with the two-way version).
  • Allows for authoritative sending (SPF/DKIM) and delivery tracking from your domain.
  • More easily satisfies information handling, redaction, and compliance requirements or policies before outbound sending.
  • Provides actionable visibility into unauthenticated inbound email ticket creation and update events (two-way version only).

While the Authenticated SMTP Connector is platform-agnostic and relies on well-established protocols that already exist within most email services, we created two versions to better suit the needs of our customers' email needs and configurations.

What do I need to do?

No action is required. If you don't need authenticated email relays, you can continue using Zendesk as you have up until now.

If you're interested in using the Authenticated SMTP Connector, you can learn more here.

If you have feedback or questions related to this announcement, visit our community forum where we collect and manage customer product feedback. For general assistance with your Zendesk products, contact Zendesk Customer Support.

 

 

 

Edited Oct 31, 2024 · Sean Cusick

1

Follower

4

Votes

0

Comments


Sean Cusick created an article,

ArticleUsing email

This summer, Zendesk identified a vulnerability through our bug bounty program which we worked with a researcher to address. We have no evidence that this vulnerability was exploited by a bad actor. While as the researcher shared in a public post, the specific issue they presented has been remediated, it is important that we provide clarity about what happened. This “supply chain” vulnerability, a type of vulnerability where bad actors may potentially attempt to exploit interconnected systems in order to breach organizations, reflects the type of security risks faced by many companies due to the way modern business tools are linked.

While this specific issue has been resolved, to further safeguard against similar and iterative exploitation attempts, we recommend companies implement best practices around user verification, including employing two-step user/identity verification, using subdomains for support emails (e.g., contact@support.example.com), and ensuring that third-party systems handling sensitive information are properly secured.

We also want to address the Bug Bounty program associated with this case. Although the researcher did initially submit the vulnerability through our established process, they violated key ethical principles by directly contacting third parties about their report prior to remediation. This was in violation of bug bounty terms of service, which are industry standard and intended to protect the white hat community while also supporting responsible disclosure. This breach of trust resulted in the forfeiture of their reward, as we maintain strict standards for responsible disclosure.

Edited Oct 14, 2024 · Sean Cusick

247

Followers

34

Votes

0

Comments


Sean Cusick created an article,

ArticleUsing email

This is a setup recommendations article for the Authenticated SMTP Connector EAP (outbound version) for use with Microsoft cloud-based email services. If these do not work for you, you may need to open a ticket with Microsoft for more specific recommendations. 

What we refer to as the “outbound” portion SMTP Relay is compatible with Exchange/Outlook 365. However, MS email services do not appear to allow the addition of SMTP AUTH credentials with what we’d consider to be the “inbound” half of the SMTP Relay. 

Accounts wishing to use Microsoft cloud-based email services should employ the version of the feature described in this setup article, which allows for standard auto-forwarding into Zendesk (see last paragraph) but can create an authenticated connection for outbound sending. 

Prior to setup in Zendesk, you’ll need to enable SMTP AUTH for the address in Outlook. See Enable SMTP AUTH for specific mailboxes for more info. This is likely a missing step for many customers, and you may need to work with your Office 365 Admins to enable the setting.

The following example details come from How to set up SMTP AUTH client submission:

Device or Application setting Value
Server/smart host smtp.office365.com
Port Port 587 (recommended) or port 25
Username/email address and password Enter the sign-in credentials of the hosted mailbox being used

 

Another consideration is an administrative page in Microsoft cloud-based email services that should be examined. It is called "Block access for unknown or unsupported device platform." Even though you may have enabled SMTP AUTH, that alone might not automatically allow you to use this integration. You may want to ensure that Linux is not excluded from access as a device platform:

 

Block Access.png

 

In addition to enabling the feature for outbound from Zendesk, you must set up auto-forwarding into Zendesk so that both the initial support requests and ticket updates can be forwarded to Zendesk for the purpose of creating and updating tickets.

Setting up only the outbound portion of an existing address is not possible. You must delete the existing address and follow the setup process to establish the outbound connection. This MS article describes that process, though we have received feedback that Microsoft might also require the enabling of an outbound spam policy rule before auto-forwarding will function correctly.  If we are able to obtain more specific information about that spam policy we will post it here. 

Edited Oct 17, 2024 · Sean Cusick

1

Follower

2

Votes

0

Comments


Sean Cusick commented,

CommentGetting started with email

Hi Noelle and Tim, You should select your external/branded address as the default address to have notifications for those newly created tickets be sent from your branded address. 

View comment · Posted Sep 24, 2024 · Sean Cusick

0

Followers

0

Votes

0

Comments


Sean Cusick created an article,

ArticleUsing email

Available on all Suite plansAvailable on all Support plans

Many Zendesk accounts utilize triggers to automatically notify users that their email has been received and a ticket has been created. However, when the user is another Zendesk account, these triggers can result in an infinite mail loop. In such cases, one Zendesk account automatically creates a ticket and sends a message to the other account, which then does the same in return, creating a continuous cycle.

To address this issue, Zendesk has implemented several methods to prevent mail loops between accounts.

This article contains the following sections:

How Zendesk suppresses automatic email notifications

Zendesk Support differentiates between automatic email notifications and all other email notifications:

  • Automatic email notifications are emails generated by Zendesk Support without any action from an agent. When a ticket is automatically created from an incoming email, an automatic message is sent.
  • All other email notifications include emails generated by Zendesk Support based on an agent's action. For example, when an agent adds a comment to a ticket, an email notification is sent.

When your instance of Zendesk Support receives an email from an end-user that it identifies as another Zendesk account, it performs the following steps:

  1. Creates a ticket from that email or threads the reply back into their original ticket, using the sending email address of the requester.
  2. Suppresses triggers for automatic email notifications.

Email notification triggers are left intact, so when an agent adds a comment to a ticket, an email notification is still sent to the Zendesk account that submitted the original email. The following flag is added to the comment:

About email notifications and ticket sharing agreements

When you send email to another Zendesk account, automatic email notifications are suppressed, but email notifications generated by an agent action are sent. This can cause problems if you have a ticket sharing agreement with the other Zendesk account. In that case, it's possible to create an endless loop of notifications if the email address for the user in the CC or Requester field is the support address of a Zendesk account you have a sharing agreement with.

To prevent endless loops, Zendesk Support automatically maintains a list of Zendesk partner addresses—that is, a list of all the support addresses for each Zendesk account you have a sharing agreement with.

When a user is created in Zendesk Support, the email address is checked against the list of partner addresses. If the address is on the list, then all email notifications, including those generated by agent action, will be suppressed to that user. On a ticket, you'll see a flag when a user on your list of Zendesk partner addresses is in the CC or Requester field. The warning flag lets you know that email will not be sent to that user.

Likewise, email sent to Zendesk Support from any email address on your partner addresses list will be rejected by Zendesk Support because there is already a sharing agreement in place. If you need to, you can create a ticket with this user as requester and share the ticket back to the Zendesk account you already have a sharing agreement with.

If you have questions or need assistance with Zendesk email, contact Zendesk Customer Support.

Edited Sep 19, 2024 · Sean Cusick

0

Followers

1

Vote

0

Comments


Sean Cusick created an article,

ArticleUsing email

Available on all Suite plansAvailable on all Support plans

Quick Look: Admin Center > Channels > Talk and email > Email

The Authenticated SMTP Connector lets you connect a non-Zendesk email server to your Zendesk Support instance. It is specifically designed for organizations that prefer to use their own email servers or cannot use third-party email servers due to internal corporate policies, data regulations, or encryption needs.

In addition to two-way authenticated relay, the connector can be set up for outbound-only authenticated email. This setup allows for standard auto-forwarding of inbound email traffic to Zendesk. All outbound sending for the connected addresses occurs through your domain or email service through an authenticated outbound connection. Although this option uses standard auto-forwarding, it requires a different setup that cannot leverage existing addresses using standard auto-forwarding.

Understanding how email is transmitted with outbound-only authentication

SMTP is not new to Zendesk; Zendesk currently uses an SMTP relay for all inbound and outbound emails (except Gmail connector).

The outbound Authenticated SMTP Connector functions like the current SMTP process for email traffic, except that it relays email to your company mail server from Zendesk and passes secure credentials (username and password) as part of the outbound relay. The inbound portion of forwarding uses standard Zendesk auto-forwarding. Services like Office365 Cloud, Exchange Online, and Google Workspace can use standard auto-forwarding to Zendesk but can let Zendesk pass the authenticated outbound traffic for those services to send to the intended recipients.

Figure 1. Email flow with the Authenticated SMTP Connector

The main advantage of this solution is that it allows you to send and receive email traffic to and from your customers using your domain’s email services, taking advantage of the sending and security features while ensuring encrypted and secure relays from Zendesk.

Once configured, here’s how the Authenticated SMTP Connector works in a typical email workflow with outbound-only authentication:

  1. User submits support request: When an end user or agent emails a support request to your domain’s support address, the email will be forwarded to Zendesk using standard auto-forwarding.
  2. Ticket created: The email is received, and a ticket is created in Zendesk.
  3. Ticket notifications: Notifications are sent back to your email domain or service using your designated and authenticated SMTP-ready support address for outbound sending.

Considerations

  • CCs and followers must be turned on in your account.
  • Because the connector relies on outbound authenticated relays to occur, we recommend testing this feature in your Zendesk sandbox environment before using it in production. This is to give your domain admin, IT team, or email provider time to understand the workflow and relationship between the two resources fully.
  • Do not add the same support address in your sandbox and production accounts. This may result in inconsistent behavior with Zendesk or your email server. Use your sandbox environment to test, then delete all the test domains and support addresses before adding them to your production account.
  • During initial setup, email sent through your existing support addresses for the account or brand will not be interrupted and continue to function normally.
  • After you add a support address for outbound sending through the Authenticated SMTP Connector and the address is verified, Zendesk will begin sending email through the authenticated domain.
  • Up to 50 support addresses can be added to Zendesk for outbound sending through a single SMTP domain. You can add up to four domains for a total of 200 addresses, but only 50 support addresses can be added for each domain.
  • Adding unique credentials is recommended for each address or brand so you can track traffic with greater specificity. Although this requires more work and credentials to manage, it can be helpful when rotating credentials or mitigating a possible security issue in which a set of credentials may have become compromised.
  • Graylisting for this traffic is not recommended, particularly for verification emails. These emails complete the outbound relay and confirm to Zendesk that traffic is successful.
  • You should add the Zendesk IPs to your network allowlist to ensure a reliable connection.
  • You will want to verify that your email service is signing your outbound traffic with your DKIM signature.
  • If you disable the support addresses using the feature and continue to forward traffic to Zendesk, it will still create and update tickets, though any updates for those tickets will not be using an authenticated outbound connection. Those notifications will be sent from our servers.

Important information about email headers

Email headers, (such as To, From, CC, and Reply-To) contain important data and metadata about an email message.

Your administrator may want to change email headers for several reasons. However, it’s important to note that some header fields should never be altered since they are critical for ensuring the correct delivery and integrity of the message. Changing standard headers at the account's email domain before outbound sending is not supported. Any issues that emerge as a result of this should be investigated and corrected at the external domain.

The below headers should persist throughout the outbound relay process:

Auto-Submitted: auto-generated
X-Auto-Response-Suppress: All
X-Mailer: Zendesk Mailer
X-Zendesk-From-Account-Id: ******
X-Zendesk-Email-Id: ************************

Changing your email header fields doesn’t change how Zendesk works; it only changes how you send your outbound messages and how you might receive responses. The relationships between the requester, agents, and CCs in the email and subsequent ticket should not change. 

The Authenticated SMTP Connector doesn't give you the ability to send email on behalf of your Zendesk system support addresses (example: support@yoursubdomain.zendesk.com).

Configuring the connector for outbound-only authenticated email relay

Share these configuration steps with your domain admin or IT team, as they involve obtaining and providing credentials that must be securely transferred and added to your business email servers and Zendesk account.

There are three steps to configuring the connector:
  1. Forwarding email to Zendesk
  2. Adding a forwarding address
  3. Verifying the connection

Forwarding email to Zendesk

Set up forwarding on your business mail server to forward emails to Zendesk.

Important: Be sure to set up automatic forwarding at the server level rather than manually forwarding or auto-forwarding from an email client (Outlook, Mac Mail, etc). Manually forwarding an email that originates from an external support address results in a suspended ticket.
Refer to your email provider's documentation for more information about forwarding email. Zendesk can't provide support for third-party products, such as email clients. Contact your email provider if you need assistance setting up automatic forwarding.

Zendesk Support does not support multi-forwarding, or forwarding that goes through multiple locations before being sent to the Zendesk support address. If multi-forwarding is configured, the requester will be the first address that Zendesk can find in the Reply:To or From: fields in the email headers. This could produce inconsistent results and is not supported.

Adding a forwarding address

Add your external support address to Zendesk. When you add your support address, your email will be verified, and you'll know whether you've set up email forwarding correctly.

To add a forwarding address

  1. In Admin Center, click Channels in the sidebar, then select Talk and email > Email.
  2. Under Support addresses, navigate to the brand to which you want to add a support address.
  3. Click Add address > Connect external address.
  4. Select Email forwarding/Authenticated SMTP Connector, enter the support address, and click Next.

  5. Enter your outbound credentials. You will need the secure credentials for your domain (host, username, and password) obtained from your domain administrator, IT team, or service provider to complete this step. This information allows Zendesk to relay outbound traffic to your domain for sending outbound traffic to your users and ensures outbound TLS encryption. When you're finished, click Save.

  6. The next dialog box will instruct you to set up auto-forwarding. If you haven't already set this up, see Forwarding email to Zendesk.

    Click Next.

    The Checking your setup dialog box will appear, and Zendesk will send a test verification email that may take a few minutes to complete.

  7. A success message displays if the test verification email is successful. Click Finish.

If there are problems with the test verification email for auto-forwarding, you may see the dialog box below. You may need to contact your email admin or service provider to ensure you have setup auto-forwarding correctly. If you have confirmed with your provider that forwarding is functioning as expected, you can contact Zendesk Customer Support.

Verifying the connection

After successfully adding your support address, you must verify the outbound SMTP configuration. This will send a verification email that verifies that you have completed the connection. See How to verify forwarding.

Setup recommendations when using Microsoft cloud-based email services

Outbound email relay using the Authenticated SMTP Connector is compatible with Microsoft Exchange Server and Microsoft 365. Microsoft email services don't allow the addition of SMTP authentication credentials for inbound email relay. Accounts wishing to use Microsoft cloud-based email services can configure auto-forwarding to Zendesk and create an authenticated connection for outbound sending, as described in this article.

Prior to setup in Zendesk, you’ll need to enable SMTP authentication for the address in Exchange Online. See Enable SMTP AUTH for specific mailboxes. This is likely a missing step for many customers, and you may need to work with your Microsoft admin to enable the setting.

The following is an example setup, as described in How to set up SMTP AUTH client submission.

Device or application setting Value
Server/smart host smtp.office365.com
Port Port 587 (recommended) or port 25
Username/email address and password Enter the sign-in credentials of the hosted mailbox being used

Also, review the "Block access for unknown or unsupported device platform" administrative page in Microsoft cloud-based email services. Even though you may have enabled SMTP authentication, you may have to check other settings, such as ensuring that Linux is not excluded from access as a device platform. If you need assistance, contact Microsoft for more specific recommendations.

Signing your outbound email traffic with your DKIM signature

As described in Digitally signing your email with DKIM, Zendesk Support allows DKIM authentication. DKIM provides a way to authenticate that an email was sent from the domain it claims to be from. This is done by attaching a digital signature to the outgoing emails, which can be verified against a public cryptographic key published in the domain's DNS records.

When using the Authenticated SMTP Connector, Zendesk will not sign outbound traffic with our d=zendesk.com DKIM tag within the header. If you have enabled digital signatures in Zendesk after adding the required CNAME records at your domain, we will sign the outbound traffic on your behalf and add the d=yourdomain.com DKIM tag to the outbound header.

Your domain can re-sign with your DKIM signature, if you choose. If you opt not to do this, test and ensure you’re not inadvertently overwriting the signature we’ve added for your domain before sending outbound production traffic.

Your domain may need to ignore SPF authority when we relay outbound traffic from Zendesk to your email service, as we will be creating a “trusted sender” relationship with your email service, and you will be doing the final authoritative outbound sending (SPF and/or DKIM) to your users.

Zendesk strongly recommends testing in a sandbox environment with test end users to validate that the SPF/DKIM/DMARC checks are all passing.

Rotating or changing credentials

If you need to change the credentials associated with one or many support addresses, you will need to edit or delete the addresses and update or re-add them with the new credentials. If there was no change to your auto-forwarding rules, then you should only need to add the new credentials (for the outbound connection). 

Disconnecting the connector

If you want to discontinue use of the connector, consider doing so during a low-traffic time. The process will take a few minutes, and you may need to coordinate with your Zendesk team to pause making ticket updates until the feature has been disconnected and support addresses have been re-added to maintain the use of your branded addresses. 

Depending on how many connected support addresses you have, you may want to leverage the API’s support addresses endpoint for faster results. Only one address can be deleted at a time, but once you have the list of SMTP-connected address IDs, the calls can be made rapidly. Authenticated SMTP Connector support addresses cannot be added through the API. Credentials must be added in Admin Center to create the necessary connection.

Edited Jan 07, 2025 · Sean Cusick

0

Followers

8

Votes

3

Comments


Sean Cusick commented,

CommentSetting up your email channel

Hi James, We are currently investigating ways that we might be able to modify the inbound portion of the feature to allow users of Exchange cloud-based services to use it. In addition to these changes we will also be releasing an Exchange Connector EAP soon, which will integrate with Microsoft cloud email services via an API. 

View comment · Posted Aug 20, 2024 · Sean Cusick

0

Followers

0

Votes

0

Comments


Sean Cusick commented,

Community comment Feedback - Ticketing system (Support)

Thank-you everybody for your interest and feedback. Here is the EAP Intro and Signup Form doc.  All of the currently available information we have is contained within that page. 

View comment · Posted May 07, 2024 · Sean Cusick

0

Followers

0

Votes

0

Comments